Skip to content
Advertisement

How to store a password as securely in Chrome Extension?

I’m writing an Chrome extension right now which autofills credentials similar to Chrome’s autofill (in which case Chrome’s autofill fails).

Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won’t the key be locally stored as well effectively making the encryption useless?

Effectively, I want the user’s credentials to be as secure as they would be if Chrome itself was storing the credentials in its password manager.

EDIT: is storing the encrypted password in localstorage and the key in a text file within the extension directory a safe idea?

Answer

This is a lightning-rod issue. See http://blog.elliottkember.com/chromes-insane-password-security-strategy for more. The position most consistent with Chrome’s would be to encourage your users to use whole-disk encryption and to lock their screen when away from a logged-in machine. It’s difficult for userland code like an extension (or a browser, for that matter) to properly implement secure storage, where “properly” means “resistant to a password-recovery utility that anyone can download from the internet.”

You should file a feature request. It might be possible to expose a system-level API that does provide similar security to the underlying OS’s keychain.

Advertisement